Appendix 8 – Privacy Policy for the CFTC Web Site

Privacy & SECURITY

The privacy of visitors to our Web site is of the utmost importance to the CFTC. You are not required to give us any personal information to visit our Web site. While we automatically collect certain data for statistical purposes, that data does not include your name, mailing or email address.

Information Collected and Stored Automatically

If you visit the CFTC Web site to read or download information, such as press releases or publications, we will collect and store certain technical information about your visit. We do not collect your name, email, mailing address or similar identifying information. We only collect the following:

On your end, the name of the domain (the machine or Web site) from which you access the Internet (for example, http://www.aol.com if you are connecting from an America Online account) and/or the name and Internet Protocol (IP) address of the server you are using to access the CFTC Web site (the IP address is a series of numbers that identifies a server or computer connected to the Internet);

The name and version of the Web browser used to access a CFTC Web page (for example, Microsoft Explorer or Firefox);

On our side, the name and IP address of the CFTC server that received and logged the request;

The date and time the request was received, and

The information you are accessing (for example, which page or image you choose to read or download).

We use this information to measure the number of visitors to the different sections of our Web site, assess system performance and to help us make the Web site more useful to our visitors. In the event of a computer security incident, such data may be manually analyzed to allow computer security specialists to identify Internet service providers and, in extreme cases, to attempt to identify the specific computer and individual involved in an attack on the CFTC’s site. The information below on “Intrusion Detection Monitoring” further explains this.

“Cookies”

The information being collected automatically, as explained above, is collected through the use of “session cookies” set through Google Analytics. “Session cookies” are small bits of text placed on a user’s hard drive for the duration of a Web session, i.e., for as long as your browser is accessing the CFTC Web site at one time. As soon as you close the CFTC Web site, the cookie [expires/is deleted].

The CFTC does not use “persistent cookies,” which are small bits of text saved on a user’s hard drive in order to identify that user, or information about that user, the next time the user logs on the a Web site. However, for some videos that are visible on http://www.cftc.gov or available on YouTube, a "persistent cookie" may be set by the third party providers when you click to play the video.

If You Choose to Send Us Personal Information

You may choose to send us information which personally identifies you. For example, you may complete an on-line form, send a complaint concerning a regulated person or entity, report suspicious activity, send a comment or input on a proposed rule, or email the CFTC through the Web site. Such information is used to respond to your request and to help us get you the information you have requested. We also use the information for the specific purposes identified on each form or on the Web page requesting information.

For example, if you send us a comment letter on a proposed rule, that letter becomes part of the CFTC’s comment file and generally is available to the public. The comments help the CFTC and other members of the public evaluate proposed Commission actions.

You may submit other forms to us, such as Freedom of Information Act requests or requests for correction of information. Such forms may contain information that CFTC staff use to track and respond to your request. Information you provide to the CFTC Division of Enforcement on our Report Suspicious Activities or Information form may be shared with other law enforcement or other Federal agencies when appropriate.

Sharing of Your Information

The personal information you choose to provide to us will be shared with CFTC employees and contractors who need to know the information in the course of their official duties. Such employees and contractors are subject to confidentiality restrictions to protect your personal information. The information may also be shared by the CFTC with third parties to advance the purpose for which you provide the information, including other federal or state government agencies. For example, if you report suspicious activity that suggests a violation of the CEA, the information you have provided may be shared with other Federal or state authorities. In this situation, the primary use of your personally identifiable information would be to enable the government to contact you in the event we have questions regarding the information you have reported.

Under certain circumstances, the CFTC may be required by law to disclose information you submit to other authorities for official purposes, for example, to respond to a Congressional inquiry or subpoena.

When you choose to send e-mail to the CFTC, you are consenting to the CFTC using the information provided therein, including personally identifiable information, in accordance with this notice, unless you expressly state in the email your objection to any use.

Linking to Other Web sites

We provide links to Federal and non-Federal Web sites if we think they may be useful to our visitors or necessary for the performance of agency functions. This includes commercial Web sites such as Facebook, Twitter, Flickr and YouTube.

When you follow a link to a non-CFTC Web site, you will first be directed to a Web page that reminds you that you are leaving http://www.cftc.gov and that the Web site you are about to visit is not endorsed by the CFTC. These other Web sites are not within the CFTC’s control. The CFTC does not guarantee the accuracy or completeness of any information on these sites. Be aware that the privacy protection provided to you on http://www.cftc.gov may not be available at the external link. Once you link to another site, you are subject to the policies of that site.

Use of Social Media Sites

The CFTC uses Twitter, Facebook, Flickr and YouTube as additional ways to provide information to the public. Flickr and YouTube allow the CFTC to post pictures and videos that may be of interest to the public. Facebook allows the Commission to reach out to a different audience, those who may not seek out http://www.cftc.gov. Twitter allows us to post microblogs known as “tweets,” i.e., text-based posts of up to 140 characters. The tweets allow our Office of Public Affairs to quickly notify reporters, the public and other “followers” of a new press release, upcoming event or other information of interest.

Using these media, the CFTC generally will not collect, maintain, or disseminate personally identifiable information (“PII”) about individuals who “follow,” “like” or comment upon the CFTC’s information.

However, in unusual circumstances (such as a threat against Commission staff or a tweet suggesting a violation of the CEA), the CFTC may collect, maintain or disseminate an individual’s PII for purposes of investigation. In such a situation, the information collected would be that information the individual had voluntarily made available to the CFTC because of actions he or she took on our social media page, such as following the CFTC’s tweets or commenting on our profile page. (The CFTC would use a subpoena or other appropriate legal process to obtain any information that the individual had not made available to the CFTC or widely made available to other social media users.) PII collected and maintained for investigations would be added to the CFTC’s investigative systems, the uses, purposes, disclosures and retention of which are described in Privacy Act System of Record Notice CFTC-10, Investigatory Records (Exempted), at Federal Register 66 Fed. Reg. 41842 (2001), as it may be amended.

A few other specific exceptions may apply, as explained in our Privacy Impact Assessments. For example, with Twitter, other than investigations, the only PII that would be collected would be for internal news clips; we may quote a “tweet” in our news clips, adding the name of the reporter to give him or her credit.

To mitigate the risk of unauthorized access to any PII through the use of social media, only specifically designated Office of Public Affairs staff or other staff authorized by the Chief Privacy Officer and/or Chief Information Officer generally will have access to the CFTC social media sites. In the rare situation where an investigation is needed, only a select number of staff with a true “need to know” the information to perform their job duties would be allowed to access information in our investigative systems, and as further explained in System of Record Notice CFTC-10, Investigatory Records (Exempted). Such staff receive special training concerning the sensitive nature of investigatory information.

Security

Personal information collected and maintained by the CFTC are protected from unauthorized access and misuse through comprehensive administrative, technical and physical security measures. Administrative measures include a privacy governance structure, mandatory annual privacy and security training for all CFTC employees, internal policies and controls over data handling practices, and regular auditing of systems. Technical security measures within CFTC include restrictions on computer access to authorized individuals, required use of strong passwords that are frequently changed, use of encryption for certain data types and transfers, and regular review of security procedures and best practices to enhance security. Physical measures include restrictions on building access to authorized individuals only and maintaining records in lockable offices and filing cabinets.

Intrusion Detection Monitoring

The CFTC uses software programs to monitor this Web site for security purposes to ensure it remains available to all users and to protect information in the system. By accessing this Web site, you are expressly consenting to these monitoring activities. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended purposes; to deny service to authorized users; to access, obtain, alter, damage, or to destroy information; or otherwise to interfere with the system or its operation are prohibited. Evidence of such acts may be disclosed to law enforcement authorities and result in criminal prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996, 18 USC 1030, or other applicable criminal laws. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.